HSCC issues ‘Model Contract Language’ template to safeguard HDOs, MDMs from cybersecurity threats, risks

The Healthcare and Public Health Sector Coordinating Council (HSCC) has rolled out a ‘Model Contract Language’ that provides a reference for shared cooperation and coordination between healthcare delivery organizations (HDOs) and medical device manufacturers (MDMs). The template addresses the security, compliance, management, operation, and servicing of MDM-managed medical devices, solutions, and connections. It also serves as a basis for agreeing on cybersecurity contractual terms and conditions to reduce cost, complexity, and time in the contracting process, and works towards improving patient safety.

“This Model Contract Language is intended to minimize security risks and ensure the confidentiality, integrity, and availability (CIA) of HDO healthcare technologies, infrastructures, and information,” the HSCC said in its document titled ‘Model Contract-language for Medtech Cybersecurity.’ The Model Contract Language “articulates adequate security of HDO information being stored, transferred, or accessed and provides that all network access, medical devices, services, and solutions satisfy the mission, security, and compliance requirements of the HDO,” it added.

MDMs, HDOs, and group purchasing organizations have been encouraged to closely review the contract language and adopt as much as is appropriate for the organization, HSCC said. The more uniformity and predictability the sector can achieve in cross-enterprise cybersecurity management expectations, the greater strides it will make toward patient safety and a more secure and resilient healthcare system, it added.

The HSCC has been recognized by the U.S. Department of Health and Human Services as a critical infrastructure industry partner for coordinating strategic, policy, and operational approaches to prepare for, respond to, and recover from significant cyber and physical threats to the sector’s ability to deliver critical assets and services to the public. In addition, the council joins with the Department and other federal agencies to identify and mitigate systemic risks that affect patient safety, security, and privacy, and consequently, national confidence in the healthcare system.

The council recently assessed that the threat landscape involved a sustained volume of threats and impact of cyber-attacks against the sector, with ransomware unrelenting. It also identified insufficient visibility into critical suppliers and their cyber risk and preparedness, and a lack of rigorous methods for measuring patient impact from cyber events, though efforts to address these are underway. Additional factors included continued concern about weakening security in legacy medical devices, a shortage of skilled cybersecurity professionals available to the sector, and the need for healthcare clinicians to be informed about and responsible for cybersecurity.

The template assesses that medical device cybersecurity responsibility and accountability between the MDMs and HDOs are complicated by several conflicting factors, the HSCC said. These include uneven MDM capabilities and investment in cybersecurity controls built into device design and production, varying expectations for cybersecurity among HDOs, and high cybersecurity management costs in the HDO operational environment throughout the device lifecycle. 

In addition, the factors have introduced and sustained ambiguities in cybersecurity accountability between MDMs and HDOs, which historically have been reconciled at best inconsistently in the purchase contract negotiation process, leading to downstream disputes and potential patient safety implications.

HSCC said that the Model Contract Language contains security and privacy agreement clauses. “Both parties need to understand their responsibilities to each other in protecting the privacy and security of the healthcare systems they will connect and the information required to service, store and transmit. In addition to assigning specific responsibilities to MDMs, the model contract language outlines security safeguards, including security by design, medical device software maintenance, access, administrative, operational, technical requirements, and transparency,” it added. 

The recommended language of the template is intended to approximate most commonly used cybersecurity contract terms and conditions between MDMs and HDOs. However, it is not comprehensive, recognizing occasional unique situations requiring additional negotiation, HSCC said. 

“It is also recognized that the wording in some recommended clauses may be modified during contract negotiations,” the HSCC said. “Ultimately, the Health Sector Coordinating Council believes that as model contract language ‘pre-negotiated’ extensively over 18 months among some of the nation’s largest MDM and HDO organizations, this resource will serve as a scalable template for large, medium and small organizations,” it added.

HSCC said that it would in the coming weeks publish best practices guidance for medical device vulnerability communications to the patient audience.

The HSCC template came as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued two ICS Medical Advisories that warned of vulnerabilities in two products from Becton, Dickinson and Company (BD). 

In the first advisory, a vulnerability has been identified in the use of hard-coded credentials in the Viper LT hardware, which, when exploited, could allow an attacker to access, modify, or delete sensitive information. “BD is working to remediate the hard-coded credentials vulnerability in the BD Viper LT system and is providing this information to increase awareness. The fix is expected in an upcoming BD Viper LT system Version 4.80 software release,” CISA said.

CISA revealed that BD’s Pyxis equipment has a ‘use of hard-coded credentials’ vulnerability that, when exploited, can allow an attacker to gain access to electronic protected health information (ePHI) or other sensitive information. “BD is in the process of strengthening credential management capabilities in BD Pyxis devices,” CISA said in the advisory.

Last month, data from cybersecurity company Sectrio revealed that the U.S. had retained the tag of being the most targeted nation in the world last year, registering a 71 percent increase in attacks over 2020. Energy, healthcare, manufacturing, utilities, maritime, and defense were the most targeted sectors.
